ATTACK FLOW (flow diagram, reconstructed as a step sequence)

DAY 1
1. RDP brute force
2. RDP login as Administrator
3. privacy.sexy (110 commands)
4. NetScan (network map)
5. Cobalt Strike via PowerShell
6. lactenin.exe (C2 beacon)
7. RDP to the DC with the same credentials
8. privacy.sexy on the DC
9. lactenin.exe pushed to the DC over SMB
10. Threat actor kicked out

DAY 2
1. RDP back in from the same IP
2. RDP to the backup server
3. Reconnect to the DC (Type 7)
4. SSH to Linux: FAILED
5. Download of agent.exe
6. SMB file collection (10 hosts)
7. Cloudflare exfiltration (6900+ IPs)
8. Extortion notes: 68 min, host by host, personalized by name

breachcache.com